| author | Paul Eggert | 2011-06-08 10:22:24 -0700 |
|---|---|---|
| committer | Paul Eggert | 2011-06-08 10:22:24 -0700 |
| commit | c9d624c605059127505b6d4baec8f07d6ff731d9 (patch) | |
| tree | 6479c3ac48386543ce3985053d117b25e4a75935 /src/alloc.c | |
| parent | 353032ce71627010043aba9d536a3e739894a1d2 (diff) | |
| download | emacs-c9d624c605059127505b6d4baec8f07d6ff731d9.tar.gz emacs-c9d624c605059127505b6d4baec8f07d6ff731d9.zip | |
* alloc.c: Catch some string size overflows that we were missing.
(XMALLOC_OVERRUN_CHECK_SIZE) [!XMALLOC_OVERRUN_CHECK]: Define to 0,
for convenience in STRING_BYTES_MAX.
(STRING_BYTES_MAX): New macro, superseding the old one in lisp.h.
The definition here is exact; the one in lisp.h was approximate.
(allocate_string_data): Check for string overflow. This catches
some instances we weren't catching before. Also, it catches
size_t overflow on (unusual) hosts where SIZE_MAX <= min
(PTRDIFF_MAX, MOST_POSITIVE_FIXNUM), e.g., when size_t is 32 bits
and ptrdiff_t and EMACS_INT are both 64 bits.
* character.c, coding.c, doprnt.c, editfns.c, eval.c:
All uses of STRING_BYTES_MAX replaced by STRING_BYTES_BOUND.
* lisp.h (STRING_BYTES_BOUND): Renamed from STRING_BYTES_MAX.
Diffstat (limited to 'src/alloc.c')
| -rw-r--r-- | src/alloc.c | 19 |
1 files changed, 18 insertions, 1 deletions
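diff --git a/src/alloc.c b/src/alloc.c
index db1744bc7cc..fa4f1d38130 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -485,7 +485,9 @@ buffer_memory_full (EMACS_INT nbytes)
 }
 
 
-#ifdef XMALLOC_OVERRUN_CHECK
+#ifndef XMALLOC_OVERRUN_CHECK
+#define XMALLOC_OVERRUN_CHECK_SIZE 0
+#else
 
 /* Check for overrun in malloc'ed buffers by wrapping a 16 byte header
 and a 16 byte trailer around each block.
@@ -1659,6 +1661,18 @@ static char const string_overrun_cookie[GC_STRING_OVERRUN_COOKIE_SIZE] =
 
 #define GC_STRING_EXTRA (GC_STRING_OVERRUN_COOKIE_SIZE)
 
+/* Exact bound on the number of bytes in a string, not counting the
+terminating null. A string cannot contain more bytes than
+STRING_BYTES_BOUND, nor can it be so long that the size_t
+arithmetic in allocate_string_data would overflow while it is
+calculating a value to be passed to malloc. */
+#define STRING_BYTES_MAX \
+min (STRING_BYTES_BOUND, \
+((SIZE_MAX - XMALLOC_OVERRUN_CHECK_SIZE - GC_STRING_EXTRA \
+- offsetof (struct sblock, first_data) \
+- SDATA_DATA_OFFSET) \
+& ~(sizeof (EMACS_INT) - 1)))
+
 /* Initialize string allocation. Called from init_alloc_once. */
 
 static void
@@ -1858,6 +1872,9 @@ allocate_string_data (struct Lisp_String *s,
 struct sblock *b;
 EMACS_INT needed, old_nbytes;
 
+if (STRING_BYTES_MAX < nbytes)
+string_overflow ();
+
 /* Determine the number of bytes needed to store NBYTES bytes
 of string data. */
 needed = SDATA_SIZE (nbytes);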
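Review bot: The new guard `if (STRING_BYTES_MAX < nbytes)` in allocate_string_data rejects only values above the bound, and whether a negative nbytes is also rejected depends on the host: STRING_BYTES_MAX is `min` of the signed STRING_BYTES_BOUND and a size_t expression, so (assuming `min` is the usual conditional-expression macro) its type follows the usual arithmetic conversions — unsigned where size_t is at least as wide as EMACS_INT, in which case a negative nbytes converts to a huge value and trips the check, but signed where size_t is narrower, in which case a negative nbytes passes and reaches `SDATA_SIZE (nbytes)`. nbytes appears to be EMACS_INT, judging by the sibling locals `needed` and `old_nbytes`, though its declaration is in the parameter list outside the hunk. Making the sign check explicit removes the dependence on host integer widths: `if (nbytes < 0 || STRING_BYTES_MAX < nbytes) string_overflow ();`, or an `eassert (0 <= nbytes);` ahead of the check if every caller is known to guarantee it. The rest of allocate_string_data's body lies outside the hunk, as does the `#endif` that must close the `#else` opened in the first hunk.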